From bf6ab24d480f6ec2cdc3ca90a28b0a8fb7169038 Mon Sep 17 00:00:00 2001
From: Frank Ketelaars
Date: Mon, 12 Feb 2024 22:21:56 +0000
Subject: [PATCH] #580 Deploy Red Hat SSO
---
 .../generic/openshift_redhat_sso/main.yaml | 1 +
 .../openshift_redhat_sso/preprocessor.py | 18 ++++++++
 .../configure-openshift/tasks/main.yml | 30 +++++++------
 .../tasks/configure-keycloak.yml | 23 ++++++++++
 .../tasks/configure-keycloaks.yml | 6 +++
 .../tasks/configure-openshift-redhat-sso.yml | 44 +++++++++++++++++++
 .../openshift-redhat-sso/tasks/main.yml | 22 ++++++++++
 .../templates/redhat-sso-keycloak.j2 | 16 +++++++
 .../templates/redhat-sso-namespace.j2 | 6 +++
 .../templates/redhat-sso-operatorgroup.j2 | 8 ++++
 .../templates/redhat-sso-subscription.j2 | 11 +++++
 .../openshift-redhat-sso/vars/main.yml | 1 +
 12 files changed, 173 insertions(+), 13 deletions(-)
 create mode 100644 automation-generators/generic/openshift_redhat_sso/main.yaml
 create mode 100644 automation-generators/generic/openshift_redhat_sso/preprocessor.py
 create mode 100644 automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloak.yml
 create mode 100644 automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloaks.yml
 create mode 100644 automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-openshift-redhat-sso.yml
 create mode 100644 automation-roles/40-configure-infra/openshift-redhat-sso/tasks/main.yml
 create mode 100644 automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-keycloak.j2
 create mode 100644 automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-namespace.j2
 create mode 100644 automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-operatorgroup.j2
 create mode 100644 automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-subscription.j2
 create mode 100644 automation-roles/40-configure-infra/openshift-redhat-sso/vars/main.yml
diff --git a/automation-generators/generic/openshift_redhat_sso/main.yaml b/automation-generators/generic/openshift_redhat_sso/main.yaml
new file mode 100644
index 000000000..73b314ff7
--- /dev/null
+++ b/automation-generators/generic/openshift_redhat_sso/main.yaml
@@ -0,0 +1 @@
+---
\ No newline at end of file
diff --git a/automation-generators/generic/openshift_redhat_sso/preprocessor.py b/automation-generators/generic/openshift_redhat_sso/preprocessor.py
new file mode 100644
index 000000000..77e448bab
--- /dev/null
+++ b/automation-generators/generic/openshift_redhat_sso/preprocessor.py
@@ -0,0 +1,18 @@
+from generatorPreProcessor import GeneratorPreProcessor
+import sys
+
+# Validating:
+# ---
+# openshift_sso:
+# - openshift_cluster_name: {{ env_id }}
+
+def preprocessor(attributes=None, fullConfig=None, moduleVariables=None):
+ g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables)
+
+ g('openshift_cluster_name').isRequired()
+
+ result = {
+ 'attributes_updated': g.getExpandedAttributes(),
+ 'errors': g.getErrors()
+ }
+ return result
\ No newline at end of file
diff --git a/automation-roles/40-configure-infra/configure-openshift/tasks/main.yml b/automation-roles/40-configure-infra/configure-openshift/tasks/main.yml
index 989942bf8..9e587666a 100644
--- a/automation-roles/40-configure-infra/configure-openshift/tasks/main.yml
+++ b/automation-roles/40-configure-infra/configure-openshift/tasks/main.yml
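Review bot: The validation comment above `preprocessor` documents the configuration key as `openshift_sso:`, but the role's tasks/main.yml in this same patch reads `all_config.openshift_redhat_sso`, so the comment should read `# openshift_redhat_sso:` to match what is actually consumed. Only `openshift_cluster_name` is checked with `isRequired()`; the `keycloak` list that configure-keycloaks.yml iterates, whose `name` ends up in file paths and an `oc apply` shell command, is not validated at all, so a missing or malformed `name` only surfaces as a template or shell error at deploy time rather than as a generator error. The comment block should also list the `keycloak` entries the role expects, e.g. `#   keycloak:` / `#   - name: <keycloak-name>`, and `import sys` is unused and can be dropped.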
@@ -21,6 +21,19 @@
 vars:
 _p_openshift_cluster_name: "{{ current_openshift_cluster.name }}"
+- name: Prepare storage for OpenShift cluster {{ current_openshift_cluster.name }}
+ include_role:
+ name: prepare-openshift-storage
+ loop: "{{ current_openshift_cluster.openshift_storage | default([]) }}"
+ loop_control:
+ loop_var: current_openshift_storage
+
+- name: Configure Multi-Cloud Object Gateway
+ include_role:
+ name: openshift-mcg
+ vars:
+ _p_openshift_cluster: "{{ current_openshift_cluster }}"
+
 - name: OpenShift Advanced Data Protection operator
 include_role:
 name: openshift-adp
@@ -45,6 +58,10 @@
 vars:
 _p_upstream_dns: "{{ current_openshift_cluster.upstream_dns | default([]) }}"
+- name: Configure Red Hat SSO for OpenShift cluster {{ current_openshift_cluster.name }}
+ include_role:
+ name: openshift-redhat-sso
+
 - name: Configure logging for OpenShift cluster {{ current_openshift_cluster.name }}
 include_role:
 name: openshift-logging
@@ -53,19 +70,6 @@
 include_role:
 name: openshift-monitoring
-- name: Prepare storage for OpenShift cluster {{ current_openshift_cluster.name }}
- include_role:
- name: prepare-openshift-storage
- loop: "{{ current_openshift_cluster.openshift_storage | default([]) }}"
- loop_control:
- loop_var: current_openshift_storage
-
-- name: Configure Multi-Cloud Object Gateway
- include_role:
- name: openshift-mcg
- vars:
- _p_openshift_cluster: "{{ current_openshift_cluster }}"
-
 - name: Configure GPU for the OpenShift cluster
 include_role:
 name: openshift-gpu
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloak.yml b/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloak.yml
new file mode 100644
index 000000000..e7d19ebc2
--- /dev/null
+++ b/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloak.yml
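Review bot: The first and third hunks move the "Prepare storage" and "Configure Multi-Cloud Object Gateway" tasks from after monitoring to before the ADP operator, but neither the commit subject (#580 Deploy Red Hat SSO) nor the playbook says why the order changed, presumably because something below now needs the object gateway in place. A one-line comment above the moved block, e.g. `# Storage and MCG are prepared first; the roles below may depend on object storage being available`, would stop the next refactor from moving it back. The new "Configure Red Hat SSO" include in the second hunk passes no vars and relies on `current_openshift_cluster` being in scope from the enclosing loop, which the role's own main.yml reads; that matches the neighbouring logging and monitoring includes, so it is only worth a note in the role's main.yml stating that the role expects `current_openshift_cluster` to be set by the caller.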
@@ -0,0 +1,23 @@
+---
+- name: Generate yaml for Keycloak {{ _current_keycloak.name }}
+ template:
+ src: redhat-sso-keycloak.j2
+ dest: "{{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-{{ _current_keycloak.name }}-keycloak.yaml"
+
+- name: Create Keycloak from YAML file {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-{{ _current_keycloak.name }}-keycloak.yaml
+ shell: |
+ oc apply -f {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-{{ _current_keycloak.name }}-keycloak.yaml
+
+- name: Wait until Keycloak {{ _current_keycloak.name }} is ready
+ shell: |
+ oc get Keycloak -n {{ _v_redhat_sso_project }} {{ _current_keycloak.name }} \
+ -o jsonpath='{.status.ready}'
+ register: _keycloak_status
+ retries: 30
+ delay: 30
+ until: (_keycloak_status.stdout | lower) == "true"
+ vars:
+ ansible_callback_diy_runner_retry_msg: >-
+ {%- set result = ansible_callback_diy.result.output -%}
+ {%- set retries_left = result.retries - result.attempts -%}
+ Retrying: {{ ansible_callback_diy.task.name }} ({{ retries_left }} Retries left) ...
\ No newline at end of file
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloaks.yml b/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloaks.yml
new file mode 100644
index 000000000..97150e778
--- /dev/null
+++ b/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloaks.yml
@@ -0,0 +1,6 @@
+---
+- name: Provision Keycloak CRs
+ include_tasks: configure-keycloak.yml
+ loop: "{{ _p_openshift_redhat_sso.keycloak | default([]) }}"
+ loop_control:
+ loop_var: _current_keycloak
\ No newline at end of file
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-openshift-redhat-sso.yml b/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-openshift-redhat-sso.yml
new file mode 100644
index 000000000..680f23895
--- /dev/null
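Review bot: Both `shell` tasks splice `status_dir`, `current_openshift_cluster.name` and `_current_keycloak.name` into the command line unquoted, so a Keycloak name from the configuration that contains a space or a shell metacharacter changes the `oc apply` / `oc get` command instead of being rejected; the preprocessor in this patch does not validate those names either. Routing the values through the `quote` filter, e.g. `oc apply -f {{ (status_dir ~ '/openshift/' ~ current_openshift_cluster.name ~ '-' ~ _current_keycloak.name ~ '-keycloak.yaml') | quote }}` and `oc get Keycloak -n {{ _v_redhat_sso_project | quote }} {{ _current_keycloak.name | quote }} \`, keeps the name as a single argument; `command` with an argument list would avoid the shell entirely. The `oc apply` task also has no `changed_when`, so every run reports a change even when the CR is unchanged.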
+++ b/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-openshift-redhat-sso.yml
@@ -0,0 +1,44 @@
+---
+- name: Generate yaml for redhat-sso namespace
+ template:
+ src: redhat-sso-namespace.j2
+ dest: "{{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-namespace.yaml"
+- name: Create redhat-sso namespace
+ shell: |
+ oc apply -f {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-namespace.yaml
+
+- name: Generate yaml for Red Hat SSO operator group
+ template:
+ src: redhat-sso-operatorgroup.j2
+ dest: "{{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-operatorgroup.yaml"
+
+- name: Create redhat-sso operatorgroup
+ shell: |
+ oc apply -f {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-operatorgroup.yaml
+
+- name: Generate yaml for Red Hat SSO subscription
+ template:
+ src: redhat-sso-subscription.j2
+ dest: "{{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-subscription.yaml"
+
+- name: Create redhat-sso operator
+ shell: |
+ oc apply -f {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-subscription.yaml
+
+# Wait until subscription has been successfully created
+- name: Wait until Red Hat SSO has status Succeeded
+ shell: |
+ oc get csv -n {{ _v_redhat_sso_project }} \
+ -l operators.coreos.com/rhsso-operator.redhat-sso \
+ --no-headers \
+ -o custom-columns='name:metadata.name,phase:status.phase' | \
+ grep -i succeeded | wc -l
+ register: _redhat_sso_csv_status
+ retries: 30
+ delay: 30
+ until: _redhat_sso_csv_status.stdout == "1"
+ vars:
+ ansible_callback_diy_runner_retry_msg: >-
+ {%- set result = ansible_callback_diy.result.output -%}
+ {%- set retries_left = result.retries - result.attempts -%}
+ Retrying: {{ ansible_callback_diy.task.name }} ({{ retries_left }} Retries left) ...
\ No newline at end of file
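Review bot: The readiness check in the last task pipes `oc get csv` through `grep | wc -l` without `set -o pipefail`, so a failing `oc get` (expired login, missing namespace) produces `0` with exit code 0 and the task silently retries for the full 30 x 30 s before failing, with the real stderr never shown. Reading the phase directly, e.g. `-o jsonpath='{.items[*].status.phase}'` with `until: "'Succeeded' in _redhat_sso_csv_status.stdout"`, removes the pipeline and the exact `== "1"` comparison, which would also never match if more than one CSV carrying that label were in the Succeeded phase. The `oc apply` tasks share the unquoted `{{ }}` interpolation and the missing `changed_when` raised for configure-keycloak.yml, and the first task pair lacks the blank separator line the other pairs have.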
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/main.yml b/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/main.yml
new file mode 100644
index 000000000..45bca02f3
--- /dev/null
+++ b/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- set_fact:
+ _p_openshift_redhat_sso: {}
+
+- when: "all_config.openshift_redhat_sso is defined"
+ block:
+ - debug:
+ var: all_config.openshift_redhat_sso
+ - set_fact:
+ _p_openshift_redhat_sso: "{{ all_config.openshift_redhat_sso | json_query(query) | first | default({}) }}"
+ vars:
+ query: >-
+ [?openshift_cluster_name=='{{ current_openshift_cluster.name }}']
+ - name: Show OpenShift Red Hat SSO for current cluster
+ debug:
+ var: _p_openshift_redhat_sso
+
+- include_tasks: configure-openshift-redhat-sso.yml
+ when: _p_openshift_redhat_sso != {}
+
+- include_tasks: configure-keycloaks.yml
+ when: _p_openshift_redhat_sso != {}
\ No newline at end of file
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-keycloak.j2 b/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-keycloak.j2
new file mode 100644
index 000000000..04801fe98
--- /dev/null
+++ b/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-keycloak.j2
@@ -0,0 +1,16 @@
+---
+apiVersion: keycloak.org/v1alpha1
+kind: Keycloak
+metadata:
+ name: {{ _current_keycloak.name }}
+ labels:
+ app: sso
+ namespace: {{ _v_redhat_sso_project }}
+spec:
+ externalAccess:
+ enabled: true
+ keycloakDeploymentSpec:
+ imagePullPolicy: Always
+ postgresDeploymentSpec:
+ imagePullPolicy: Always
+ instances: 1
\ No newline at end of file
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-namespace.j2 b/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-namespace.j2
new file mode 100644
index 000000000..5b2d7be52
--- /dev/null
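Review bot: The two `debug` tasks print the entire `all_config.openshift_redhat_sso` section and the selected entry at default verbosity on every run; today that holds only cluster and Keycloak names, but if credentials or client secrets are ever added to this section they will land in the run log. Adding `verbosity: 1` to both `debug` tasks keeps the output available under `-v` without printing it by default. The JMESPath query also splices `current_openshift_cluster.name` into a single-quoted literal, so a cluster name containing `'` yields a query error rather than an empty match; if that is an accepted constraint, say so with `# cluster names must not contain single quotes (used unescaped in the JMESPath literal)`.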
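Review bot: The Keycloak CR hard-codes `externalAccess.enabled: true`, `instances: 1` and `imagePullPolicy: Always` for every entry in the `keycloak` list, so the only per-instance setting is the name; publishing every instance outside the cluster is a deployment decision that should at least be stated in the template, e.g. `{# externalAccess publishes a Route for each Keycloak; all other settings are fixed for now #}`. If these are meant to become configurable later, `instances: {{ _current_keycloak.instances | default(1) }}` keeps the current behaviour as the default while letting the configuration override it. The template itself belongs to a separate hunk on this line; the namespace template that follows starts on the next line.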
+++ b/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-namespace.j2
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ _v_redhat_sso_project }}
+ annotations:
+ openshift.io/node-selector: ""
\ No newline at end of file
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-operatorgroup.j2 b/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-operatorgroup.j2
new file mode 100644
index 000000000..72ce3fc73
--- /dev/null
+++ b/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-operatorgroup.j2
@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: redhat-sso-og
+ namespace: {{ _v_redhat_sso_project }}
+spec:
+ targetNamespaces:
+ - {{ _v_redhat_sso_project }}
\ No newline at end of file
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-subscription.j2 b/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-subscription.j2
new file mode 100644
index 000000000..d9217e394
--- /dev/null
+++ b/automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-subscription.j2
@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: redhat-sso
+ namespace: {{ _v_redhat_sso_project }}
+spec:
+ channel: stable
+ name: rhsso-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
+ installPlanApproval: Automatic
\ No newline at end of file
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/vars/main.yml b/automation-roles/40-configure-infra/openshift-redhat-sso/vars/main.yml
new file mode 100644
index 000000000..e65bf4c04
--- /dev/null
+++ b/automation-roles/40-configure-infra/openshift-redhat-sso/vars/main.yml
@@ -0,0 +1 @@
+_v_redhat_sso_project: redhat-sso
\ No newline at end of file
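Review bot: The Subscription combines `channel: stable` with `installPlanApproval: Automatic` and no `startingCSV`, so the operator version installed is whatever the `redhat-operators` catalog serves at run time and it will be upgraded automatically whenever the catalog moves, outside this automation's change control. That is a defensible default for an automated deployment, but it should be stated in the template, e.g. `{# Automatic approval: rhsso-operator follows the stable channel and upgrades without an install-plan review #}`, and the channel and approval mode are natural candidates for role variables next to `_v_redhat_sso_project` in vars/main.yml so an operator can pin them. The OperatorGroup in the preceding hunk restricts `targetNamespaces` to the SSO project, which is the narrower choice; a short `{# own-namespace install mode; do not widen to all namespaces #}` there would keep it that way.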